As the security landscape becomes more dynamic and the threat landscape grows, there is a strong need to change the way business owners think about improving their security architecture and design.
1. Develop basic security and policy standards
2. Establish an asset inventory (yes, you know where this came from: the SANS Top 20 CC)
3. Establish Information Security leads
4. Implement an Enterprise Risk Committee
5. Define a common approach to risk calculations
6. Establish a threat and vulnerability assessment program
7. Establish a compliance-to-standards review process
8. Conduct basic risk assessments for vendors
9. Implement a risk and assessment tracking system
10. Launch a risk awareness campaign
Even with all the points above, it is easy to fall short on following up on one of these ten points when implementing the RBA (risk-based approach). To counter this, we can implement AGILE to run active follow-ups and improve the maturity of the security space in the organisation. So one might ask: what is AGILE? AGILE is …
https://en.wikipedia.org/wiki/Agile_management
Yes, it's a dynamic and iterative method of managing a project. It complements the dynamism of the security and risk space in the current age.
So, are you ready to implement this marriage of two systems into your organisation?